FBI: North Korea Behind $1.5 Billion Bybit Cryptocurrency Exchange Heist
More details behind the Bybit $1.5 billion hack, which occurred on Feb. 21 and is the largest digital heist in the history of cryptocurrency, continued to emerge this week.

This week, the FBI officially attributed the massive hack of cryptocurrency exchange Bybit to hackers linked to North Korea, confirming what several security researchers and blockchain intelligence platforms have already reported.
At the same time, more details continued to emerge about the $1.5 billion hack, which occurred on Feb. 21 and is the largest digital heist in the history of cryptocurrency.
Key Details:
- The FBI on Wednesday linked the attack to TraderTraitor, a known North Korean state-sponsored APT (commonly tracked as Lazarus Group or APT38) that has a track record of targeting blockchain companies, decentralized finance platforms, cryptocurrency trading companies, venture capital funds investing in crypto, and more.
- The FBI published Ethereum addresses connected to TraderTraitor actors, and urged blockchain exchanges, bridges, analytics firms, and RPC node operators – which provide the infrastructure allowing users to read blockchain data and send transactions – to block transactions derived from those addresses.
- Meanwhile, Bybit said it has taken several steps over the past week to address the incident, including working with industry experts to trace stolen assets and creating a recovery bounty program that offers up to 10 percent of the recovered amount to people and entities that help retrieve stolen crypto.
The Background: In the week after the hack, more details have emerged about how it initially occurred. Bybit published the initial results of a forensics investigation into the hack, which was led by Verichains and Sygnia Labs. According to the report, the root cause of the attack is linked to malicious code stemming from SafeWallet’s infrastructure. According to the investigation, a benign JavaScript file was replaced with malicious code on Feb. 19, targeting Bybit’s Ethereum cold wallet (a “cold wallet” is a method for storing private cryptocurrency keys offline). The attack was designed to activate during the next Bybit transaction, which happened on Feb. 21.
SafeWallet, an app that allows users to manage crypto assets across multiple platforms, also published a statement on Twitter that it was targeted by North Korean hackers, who compromised the machine of a SafeWallet developer, resulting in disguised malicious transactions.
When the hack actually occurred on Feb. 21, it appeared to be a routine transfer from Bybit’s Ethereum cold wallet to a hot wallet (this type of wallet, connected to the internet, is used to send and receive cryptocurrency). According to Chainalysis, the hackers rerouted approximately 401,000 ETH (valued at $1.5 billion during the attack) to the attacker-controlled addresses. These stolen assets were then moved through a wide net of intermediary addresses, decentralized exchanges and more – a dispersion tactic used by hackers during crypto heists to hide their footprints.
Currently, “TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains,” said the FBI on Wednesday. “It is expected these assets will be further laundered and eventually converted to fiat currency.”
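The FBI's ask that exchanges and RPC operators block transactions "derived from" the published addresses, combined with the dispersion through intermediary addresses described above, comes down to taint tracing over the transfer graph. The following is an added illustration (not code from Bybit, Chainalysis or the FBI) of the basic idea: a breadth-first walk from seed addresses over a small constructed set of transfers, with placeholder addresses rather than the real FBI-published ones.

```python
from collections import deque

# Constructed sample transfers (from_addr, to_addr, amount); placeholder
# addresses, not real chain data and not the FBI-published addresses.
SAMPLE_TRANSFERS = [
    ("0xATTACKER1", "0xHOP_A", 1000.0),
    ("0xATTACKER1", "0xHOP_B", 500.0),
    ("0xHOP_A", "0xDEX_POOL", 1000.0),
    ("0xHOP_B", "0xHOP_C", 500.0),
    ("0xHOP_C", "0xEXCHANGE_DEPOSIT", 500.0),
    ("0xUSER_X", "0xUSER_Y", 2.0),  # unrelated traffic, must stay clean
]


def trace_tainted(seed_addresses, transfers, max_hops=10):
    """Return {address: hops_from_seed} for every address that received funds,
    directly or through intermediaries, from one of the seed addresses."""
    outgoing = {}
    for src, dst, _amount in transfers:
        outgoing.setdefault(src, []).append(dst)
    tainted = {addr: 0 for addr in seed_addresses}
    queue = deque(seed_addresses)
    while queue:
        addr = queue.popleft()
        if tainted[addr] >= max_hops:  # bound the walk on large graphs
            continue
        for nxt in outgoing.get(addr, []):
            if nxt not in tainted:
                tainted[nxt] = tainted[addr] + 1
                queue.append(nxt)
    return tainted


def should_block(tx_from, tx_to, tainted):
    """Relay/exchange policy: refuse a transaction touching a tainted address."""
    return tx_from in tainted or tx_to in tainted
```

A production tracer would also order transfers by time and apportion taint by amount so that a large liquidity pool receiving a small tainted deposit is not blocked wholesale; this walk marks any downstream recipient.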
The Big Picture: For more than a decade, we’ve seen it again and again: Hacks of cryptocurrency entities (many of which have been linked to North Korea) that result in the theft of millions of dollars. According to Chainalysis, in 2024 North Korea-affiliated actors stole $1.34 billion across 47 incidents (a 102.88 percent increase in value stolen over the previous year). The Bybit hack alone has led to almost $160 million more stolen than all funds stolen by North Korea throughout 2024, said Chainalysis.